II. Organizational Policies & Procedures

It is critical that policies and procedures be developed which
reflect the significance of the information resource.

A. Scope Of Security Mechanisms

Security policies specify the rules that govern how
information is to be protected; security mechanisms enforce these policies.
Since a secure system is one that should be part of the total organization, the
scope of the security mechanism may include all the administrative,
procedural, physical, operational and technical aspects of the organization.

B. Basic Goals

Basic goals of a secure system are:

Prevention includes those organizational,
operational and physical methods thought necessary to keep a system secure
from both internal and external penetration;

Deterrence includes those policies, procedures and
actions designed to discourage penetration of the system;

Containment focuses on keeping sensitive data within the system;

Detection means finding the nature, existence,
presence or fact of a system penetration;

Recovery is the action necessary to restore a
system’s computational capability and data files after a system failure or
penetration. A disaster plan is part of recovery.

C. Written Management Policies & Procedures

Once sensitive data are identified, and policies
and procedures for handling sensitive data have been established, these policies
and procedures must be communicated to those who are affected. A variety of
methods including training and a security manual may be used for communicating
this information.